FastAPI

Unbounded multipart form field buffering causes memory exhaustion DoS

critical
Resource Contention
Updated Oct 22, 2024 (via Exa)
How to detect:

In Starlette versions 0.4.1 through 0.39.2, multipart/form-data parts without a filename field are buffered in memory with no size limit. Attackers can upload arbitrarily large form fields, causing excessive memory allocation, swapping, and eventual OOM process termination. Multiple parallel requests can render the service unusable even when a reverse proxy enforces request size limits.

Recommended action:

Upgrade to Starlette 0.40.0 or later, which addresses this vulnerability. Monitor memory usage patterns and http.server.active_requests for sudden spikes. Review applications built with Starlette or FastAPI that accept form requests. Consider implementing application-level multipart size limits and rate limiting for form submissions.
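The application-level multipart size limit recommended above, as an added example that is not Starlette's or FastAPI's own code: a small streaming multipart reader that caps the bytes buffered for parts carrying no filename and checks that cap on every chunk, so an oversized field is rejected before it is read in full. The sample body, the boundary "x1", the FieldTooLarge exception and the 413 mapping are constructed here; feeding it from an ASGI request stream is assumed.

```python
import re
from typing import Dict, Iterable

class FieldTooLarge(ValueError): "A form field without a filename exceeded the byte cap."

def bounded_form_fields(chunks: Iterable[bytes], boundary: bytes, max_field_bytes: int) -> Dict[str, bytes]:
    # Streams a multipart/form-data body; non-file fields are buffered only up to max_field_bytes and
    # the cap is checked per chunk. File parts (with a filename) are counted only; a real app spools them.
    delim, buf, fields, in_headers = b"\r\n--" + boundary, b"\r\n", {}, False   # CRLF: first boundary matches delim
    name, filename, size, pieces = "", b"", 0, []   # preamble is treated like a (discarded) file part
    def account(piece: bytes) -> None:              # runs for every payload fragment as it arrives
        nonlocal size
        size += len(piece)
        if filename is not None: return             # file part: counted, not buffered
        if size > max_field_bytes: raise FieldTooLarge(f"field {name!r} exceeds {max_field_bytes} bytes")
        pieces.append(piece)
    for chunk in chunks:
        buf += chunk
        while True:
            if in_headers:
                end = buf.find(b"\r\n\r\n")
                if end < 0: break                   # part headers incomplete: wait for more data
                m = re.search(rb';\s*name="([^"]*)"(?:;\s*filename="([^"]*)")?', buf[:end])
                if m is None: raise ValueError("part without a Content-Disposition name")
                name, filename = m.group(1).decode(), m.group(2)   # filename None => plain form field
                buf, size, pieces, in_headers = buf[end + 4:], 0, [], False
                continue
            idx = buf.find(delim)
            if idx < 0:                             # no delimiter yet: consume all but a possible prefix
                keep = len(delim) - 1
                if len(buf) <= keep: break
                account(buf[:-keep])
                buf = buf[-keep:]
            elif len(buf) < idx + len(delim) + 2: break   # need CRLF or the closing "--" after the delimiter
            else:
                account(buf[:idx])
                if filename is None: fields[name] = b"".join(pieces)
                if buf[idx + len(delim):idx + len(delim) + 2] == b"--": return fields
                buf, in_headers = buf[idx + len(delim) + 2:], True
    raise ValueError("truncated multipart body")
def form_status(chunks: Iterable[bytes], boundary: bytes, max_field_bytes: int) -> int:
    # What a middleware would answer: 413 once a field breaches the cap, otherwise 200.
    try:
        bounded_form_fields(chunks, boundary, max_field_bytes)
        return 200
    except FieldTooLarge:
        return 413
# Constructed sample body (boundary "x1", not captured traffic): a small field, then a 4 KiB field.
SAMPLE_BODY = (b'--x1\r\nContent-Disposition: form-data; name="note"\r\n\r\nhi\r\n'
               b'--x1\r\nContent-Disposition: form-data; name="blob"\r\n\r\n' + b"A" * 4096 + b"\r\n--x1--\r\n")
```

With a 1 KiB cap the 4 KiB field is refused after roughly the first kilobyte arrives, whichever chunk size the server delivers, which is the memory bound the upgrade restores.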